Hi all,
I've downloaded and installed the 3.0.2pre1 package. However, I've not
managed to get winbindd working. I've run into a credentials cache problem
(so I haven't been able to even get to the point I was at before).
My krb5.conf and pam settings haven't changed and I'm using the same
smb.conf as before. I'm using MIT Kerberos 1.3.1 (in /usr/kerberos/). Here
are some excerpts from the winbindd log file (at debug level 10).
[2004/01/07 16:15:34, 3] libsmb/cliconnect.c:cli_session_setup_spnego(705)
got principal=dc01$@DOMAIN.COM
[2004/01/07 16:15:34, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(509)
Doing kerberos session setup
[2004/01/07 16:15:34, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
krb5_cc_get_principal failed (No credentials cache found)
[2004/01/07 16:15:34, 4] nsswitch/winbindd_cm.c:cm_open_connection(186)
failed kerberos session setup with NT_STATUS_UNSUCCESSFUL
[2004/01/07 16:15:34, 5] nsswitch/winbindd_cm.c:cm_open_connection(218)
anonymous connection attempt to DC01 from SOME-SERVER
... a bunch of data for pipe/connection (I think)...
[2004/01/07 16:15:34, 3] nsswitch/winbindd_util.c:add_trusted_domain(142)
add_trusted_domain: DOMAIN is a native mode domain
[2004/01/07 16:15:34, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
Added domain DOMAIN DOMAIN.COM
[2004/01/07 16:15:34, 10] nsswitch/winbindd_cache.c:wcache_flush_cache(66)
wcache_flush_cache success
[2004/01/07 16:15:34, 10] nsswitch/winbindd_cache.c:alternate_name(1306)
alternate_name: [Cached] - doing backend query for info for domain DOMAIN
[2004/01/07 16:15:34, 3] nsswitch/winbindd_ads.c:alternate_name(952)
ads: alternate_name
[2004/01/07 16:15:34, 6] libads/ldap.c:ads_find_dc(147)
ads_find_dc: looking for realm 'DOMAIN.COM'
[2004/01/07 16:15:34, 8] libsmb/namequery.c:get_sorted_dc_list(1215)
get_sorted_dc_list: attempting lookup using [hosts]
[2004/01/07 16:15:34, 10] libsmb/namequery.c:remove_duplicate_addrs2(312)
remove_duplicate_addrs2: looking for duplicate address/port pairs
[2004/01/07 16:15:34, 4] libsmb/namequery.c:get_dc_list(1350)
get_dc_list: returning 1 ip addresses in an ordered list
[2004/01/07 16:15:34, 4] libsmb/namequery.c:get_dc_list(1351)
get_dc_list: 192.168.3.2:389
[2004/01/07 16:15:34, 5] libads/ldap.c:ads_try_connect(56)
ads_try_connect: trying ldap server '192.168.3.2' port 389
[2004/01/07 16:15:34, 3] libads/ldap.c:ads_connect(218)
Connected to LDAP server 192.168.3.2
[2004/01/07 16:15:34, 3] libads/ldap.c:ads_server_info(2030)
got ldap server name dc01@DOMAIN.COM, using bind path: dc=DOMAIN,dc=COM
... some more junk...
[2004/01/07 16:15:34, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
got principal=dc01$@DOMAIN.COM
[2004/01/07 16:15:34, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
krb5_cc_get_principal failed (No credentials cache found)
[2004/01/07 16:15:34, 1] nsswitch/winbindd_ads.c:ads_cached_connection(65)
ads_connect for domain DOMAIN failed: Operations error
[2004/01/07 16:15:34, 1] nsswitch/winbindd_util.c:init_domain_list(284)
Could not fetch sid for our domain DOMAIN
[2004/01/07 16:15:34, 0]
nsswitch/winbindd_util.c:rescan_trusted_domains(170)
rescan_trusted_domains: Can't find my own domain!
The machine had been joined to the AD domain some time back (IP share access
was working yesterday) and a kinit gets my principal.
$ klist -e
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: username@DOMAIN.COM
Valid starting Expires Service principal
01/07/04 15:47:17 01/08/04 01:45:18 krbtgt/DOMAIN.COM@DOMAIN.COM
renew until 01/08/04 15:47:17, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
01/07/04 15:50:02 01/08/04 01:45:18 dc01$@DOMAIN.COM
renew until 01/08/04 15:47:17, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
Is there something I'm missing with my setup? Where does winbindd look for
the credentials cache by default?
Below is my smb.conf. The pam settings for samba and login are identical to
that in the HOW-TO at samba.org. Same with the krb5.conf file.
Any ideas? I've got a deadline approaching and I'm really in a crunch.
Any
help is appreciated.
Thanks,
Brian
smb.conf:
[global]
; smbd settings
log level = 3
log file = /var/log/samba/log.%m
server string = %u [Samba Server %v]
; Active Directory settings
workgroup = DOMAIN
security = ADS
realm = DOMAIN.COM
client use spnego = yes
use spnego = yes
local master = no
domain master = no
preferred master = no
domain logons = no
os level = 0
; winbind stuff
winbind separator = +
allow trusted domains = no
obey pam restrictions = yes
winbind enum users = yes
idmap uid = 10000-20000
winbind enum groups = yes
idmap gid = 10000-20000
password server = 192.168.3.2
encrypt passwords = yes
template homedir = /home/%D/%U
template shell = /bin/bash
